---
title: Enable transient federation
description: Both integrated and standalone SAML 2.0 implementations let you link accounts temporarily (transiently).
component: pingoneaic
page_id: pingoneaic:am-saml2:enable-transient-federation
canonical_url: https://docs.pingidentity.com/pingoneaic/am-saml2/enable-transient-federation.html
page_aliases: ["saml2-guide:transient-federation.adoc", "saml2-guide:enable-transient-federation.adoc"]
section_ids:
  integrated_mode: Integrated mode
  standalone_mode: Standalone mode
  test_your_work: Test your work
---

# Enable transient federation

For more information on transient federation, refer to [Choose persistent or transient federation](choose-persistent-or-transient-federation.html).

Both [integrated and standalone](saml2-sso-slo.html) SAML 2.0 implementations let you link accounts temporarily (transiently).

Before you configure transient federation, ensure you:

* Configure Advanced Identity Cloud for SAML 2.0.

* Create the [IdP](saml2-providers-and-cots.html#create-hosted-providers).

  * If Advanced Identity Cloud is the IdP, use the Advanced Identity Cloud admin console with [application management](../app-management/register-a-custom-application.html#custom-saml-app-setup-sso).

* Create [SPs](saml2-providers-and-cots.html#create-hosted-providers).

* Configure a [circle of trust (CoT)](saml2-providers-and-cots.html#create-cot).

* Configure Advanced Identity Cloud to support [SSO](saml2-sso-slo.html).

## Integrated mode

To enable transient federation with [integrated mode](saml2-sso-slo.html):

1. Create a journey that contains the [SAML2 Authentication node](https://docs.pingidentity.com/auth-node-ref/latest/saml2.html).

   If you have not created one yet, refer to [SSO and SLO in Integrated Mode](saml2-integrated-mode.html) for an example.

2. In the NameID Format field, specify the value `urn:oasis:names:tc:SAML:2.0:nameid-format:transient`.

3. Save your work.

4. Initiate SSO by accessing a URL that calls a journey that includes the SAML2 Authentication node.

   For example, `https://<tenant-env-sp-fqdn>/am/XUI/#login/&realm=alpha&service=mySAMLTree`.

## Standalone mode

To enable transient federation with [standalone mode](saml2-sso-slo.html):

1. Initiate SSO with either the `/spssoinit` or `/idpssoinit` URLs, including `NameIDFormat=urn:oasis:names:tc:SAML:2.0:nameid-format:transient` as a query parameter.

   For example, to initiate SSO from the SP, access a URL similar to the following:

   ```
   https://<tenant-env-sp-fqdn>/am/spssoinit
   ?idpEntityID=https%3A%2F%2Fwww.idp.com%3A8443%2Fopenam
   &metaAlias=/sp
   &NameIDFormat=urn:oasis:names:tc:SAML:2.0:nameid-format:transient
   ```

   To initiate SSO from the IdP, access a URL similar to the following:

   ```
   https://<tenant-env-fqdn>/am/idpssoinit
   ?spEntityID=https%3A%2F%2Fwww.sp.com%3A8443%2Fopenam
   &metaAlias=/idp
   &NameIDFormat=urn:oasis:names:tc:SAML:2.0:nameid-format:transient
   ```

## Test your work

1. Authenticate to the IdP as the user you want to link temporarily.

   On success, you are redirected to the SP.

2. Authenticate to the SP as the local user.

   The accounts are only linked for the duration of the session. Once the user logs out, the accounts are no longer linked.

   Nothing is written to the user's profile on either the IdP or the SP.

   Subsequent attempts to access the SP require the user to authenticate to the IdP *AND* the SP (assuming no session exists), as the identities aren't linked.
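To confirm at the protocol level that federation is transient, you can inspect the assertions the IdP issues. The following Python sketch is an added example, not part of the product or its documentation. It assumes the HTTP-POST binding and that you captured the base64 `SAMLResponse` form field from two separate sessions of the same user. It checks that each Subject `NameID` carries the transient format and that the value is not reused across sessions. It does not validate signatures, and the function names and sample data are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def subject_name_id(saml_response_b64):
    """Return (Format, value) of the Subject NameID in a base64 SAMLResponse."""
    xml = base64.b64decode(saml_response_b64)
    if b"<!DOCTYPE" in xml:  # SAML messages never need a DTD; refuse to parse one
        raise ValueError("unexpected DTD in SAML response")
    node = ET.fromstring(xml).find(".//saml:Subject/saml:NameID", NS)
    if node is None:
        raise ValueError("no plaintext Subject NameID (assertion may be encrypted)")
    return node.get("Format"), (node.text or "").strip()


def check_transient(first_b64, second_b64):
    """Compare responses captured in two separate sessions of the same user."""
    ids = [subject_name_id(r) for r in (first_b64, second_b64)]
    problems = [f"response {n}: NameID Format is {fmt!r}"
                for n, (fmt, _) in enumerate(ids, 1) if fmt != TRANSIENT]
    if ids[0][1] == ids[1][1]:
        problems.append("same NameID value in both sessions (stable identifier)")
    return problems


def sample_response(fmt, value):
    """Constructed, minimal, unsigned response used only as sample input."""
    xml = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
           f'<saml:Subject><saml:NameID Format="{fmt}">{value}</saml:NameID>'
           '</saml:Subject></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    a = sample_response(TRANSIENT, "constructed-id-1")
    b = sample_response(TRANSIENT, "constructed-id-2")
    print(check_transient(a, b) or "NameID is transient and differs per session")
```

An empty list from `check_transient` means both assertions used the transient format with different identifiers. A repeated value or another format indicates the SP is receiving an identifier it could use to correlate the user across sessions.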
